
azurerm_cosmosdb_account: support for CMK through managed_hsm_key_id property #26521

Merged
merged 3 commits into from
Oct 31, 2024

Conversation

wuxu92
Contributor

@wuxu92 wuxu92 commented Jul 2, 2024

Community Note

  • Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

  1. This PR introduces common helpers in internal/customermanagedkeys/ to parse and flatten CMKs from KeyVault or MHSM, and to generate the necessary configuration for AccTest requiring a Managed HSM key.
  2. This PR adds support for managed HSM keys in Cosmos DB account resources.

PR Checklist

  • I have followed the guidelines in our Contributing Documentation.
  • I have checked to ensure there aren't other open Pull Requests for the same update/change.
  • I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
  • I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
  • I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
    For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

  • I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
  • I have written new tests for my resource or datasource changes & updated any relevant documentation.
  • I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
  • (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

  • My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)
=== PAUSE TestAccCosmosDBAccount_ManagedHSMUri
=== CONT  TestAccCosmosDBAccount_ManagedHSMUri
--- PASS: TestAccCosmosDBAccount_ManagedHSMUri (3225.82s)
PASS
ok      github.com/hashicorp/terraform-provider-azurerm/internal/services/cosmos  3225.831s


Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

This is a (please select all that apply):

  • Bug Fix
  • New Feature (ie adding a service, resource, or data source)
  • Enhancement
  • Breaking Change

Related Issue(s)

Fixes #26357

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

Collaborator

@magodo magodo left a comment

Thanks for this PR!
I've taken a look through and left some comments inline, but this is mostly looking good to me 👍

Collaborator

magodo commented Jul 5, 2024

@wuxu92 Thank you and it now LGTM!

@wuxu92 wuxu92 marked this pull request as ready for review July 5, 2024 05:53
return ""
}

func parseKeyvauleID(keyRaw string, requireVersion VersionType) (*parse.NestedItemId, error) {
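Review bot: `parseKeyvauleID` misspells Key Vault in the identifier; rename it to `parseKeyVaultID` now, before the callers this shared helper is meant to serve pick up the typo. The function also has no doc comment in the shown lines, and since the `requireVersion VersionType` argument decides whether a versionless id is accepted or rejected, a one-line comment stating that contract would save every caller a trip into the body.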
Contributor

we're going to need the Key Vault Environment here in the future, for when the Key Vault nested items take the environment, so we should probably thread that through now, since this'll be used in a bunch of places?

Contributor Author

reasonable, I pushed a commit to update it.

Comment on lines 1 to 13
package customermanagedkeys

import (
"fmt"
"strings"

"github.com/hashicorp/go-uuid"
)

// ManagedHSMKeyTempalte: Helper function to generate a template for HSM key acceptance tests
// Ensure `azurerm_client_config.current` datasource is defined before using this template.
// Verify there are no resource address conflicts in the caller of this template.
func ManagedHSMKeyTempalte(randomInteger int, randomString string, purgeProtectionEnabled bool, principalRefs []string) string {
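Review bot: `ManagedHSMKeyTempalte` misspells Template, both in the exported function name and in the doc comment above it; fix both before anything imports it. The comment also places two obligations on callers (define `azurerm_client_config.current`, avoid resource address conflicts) that nothing enforces; if the helper stays, consider taking a resource-name prefix as a parameter so address clashes become impossible rather than a convention.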
Collaborator

Lets not do this, we should not be sharing test configuration between services as sometimes different services require slightly different setups. Not to mention it moves the test config away from the tests

so could we please change this to maybe CosmosDBManagedHSMKeyTempalte and include it in the cosmosdb service folder somewhere?

Contributor Author

Thanks for the review. I removed this file and moved the test configuration to the Cosmos DB account's test file.

tested with an existing hsm key:

--- PASS: TestAccCosmosDBAccount_ManagedHSMUri (952.33s)
PASS

Member

@mbfrahry mbfrahry left a comment

Hey @wuxu92, I took another pass. Could you take a look?

Description: "The versionless encryption key url.",
},

"managed_hsm_key_id": {
Member

It looks like this is only specified in the schema. Can we revert this change and open another PR for this change if we're looking to add it to netapp account encryption?

Contributor Author

removed and rebased main branch to resolve the conflict.


// FlattenKeyVaultOrManagedHSMID uses `KeyVaultOrManagedHSMKey.SetState()` to save the state, which this function is designed not to do.
func FlattenKeyVaultOrManagedHSMID(id string, keyVaultEnv, hsmEnv environments.Api) (*KeyVaultOrManagedHSMKey, error) {
_ = keyVaultEnv
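Review bot: the doc comment on `FlattenKeyVaultOrManagedHSMID` contradicts itself ("uses `KeyVaultOrManagedHSMKey.SetState()` to save the state, which this function is designed not to do"); reword it to say that the function only parses the id into a `KeyVaultOrManagedHSMKey` and leaves state-setting to the caller. The `_ = keyVaultEnv` line merely silences the unused-parameter check; either consume the parameter or drop it from the signature until there is a use for it.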
Member

Does this need to be here? It doesn't look like keyVaultEnv is being used in this function at all

Contributor Author

I placed the keyvault environment here for future use, similar to the HSM environment. I removed it for now, but we can add it back when needed.

// ManagedHSMKeyTempalte: Helper function to generate a template for HSM key acceptance tests
// Ensure `azurerm_client_config.current` datasource is defined before using this template.
// Verify there are no resource address conflicts in the caller of this template.
func ManagedHSMKeyTempalte(randomInteger int, randomString string, purgeProtectionEnabled bool, principalRefs []string) string {
Member

I do like the idea of having a template for hsm as it's complicated to get going but I also saw in other resources that the setup for hsm was different.

Also, having a template used across services makes it possible that if the template changes for a certain resource, it could break the tests in other resources.

Contributor Author

Yeah, I removed the file and moved the config content to the specific test case.

wantErr: false,
},
{
name: "fail with no version provided",
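Review bot: the case named `fail with no version provided` treats a versionless id as an unconditional error, but `parseKeyvauleID` takes a `requireVersion` argument precisely so that some resources can accept versionless ids; make `wantErr` depend on that argument and add a sibling case that expects a versionless id to parse with an empty version, plus a versioned case so both shapes are covered.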
Member

I don't believe we should fail if the version isn't specified as some resources take versionless ids

Member

Should we also expand these tests to include versioned ids?

Contributor Author

added new test case for versionless key vault id.
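The parsing the PR description lists (classifying a key id as Key Vault or Managed HSM and accepting or rejecting versionless ids, the point debated in the thread just above) as an added Go example. This is not the provider's own helper code: the type names, the `requireVersion` flag and the public-cloud host suffixes `.vault.azure.net` and `.managedhsm.azure.net` are assumptions of the example, and sovereign clouds would need their suffixes threaded in through the environment as the review suggests.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// KeyKind says which service backs a customer-managed key URL.
type KeyKind string

const (
	KindKeyVault   KeyKind = "keyvault"
	KindManagedHSM KeyKind = "managedhsm"
)

// CMKKey is the parsed form of a Key Vault or Managed HSM key identifier.
type CMKKey struct {
	Kind    KeyKind
	BaseURI string // scheme and host, e.g. https://example-hsm.managedhsm.azure.net
	Name    string
	Version string // empty for a versionless id
}

// Host suffixes for the public Azure cloud. This is an assumption of the
// example; sovereign clouds use other DNS suffixes.
var kindBySuffix = []struct {
	suffix string
	kind   KeyKind
}{
	{".managedhsm.azure.net", KindManagedHSM},
	{".vault.azure.net", KindKeyVault},
}

// ParseCMKKeyID classifies a key URL as Key Vault or Managed HSM and splits it
// into base URI, key name and optional version. When requireVersion is true a
// versionless id is rejected; otherwise it is accepted with an empty Version.
func ParseCMKKeyID(raw string, requireVersion bool) (*CMKKey, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("parsing %q: %w", raw, err)
	}
	// Key material must only ever be referenced over TLS.
	if u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("%q must be an https URL with a host", raw)
	}
	host := strings.ToLower(u.Host)
	var kind KeyKind
	for _, c := range kindBySuffix {
		if strings.HasSuffix(host, c.suffix) {
			kind = c.kind
			break
		}
	}
	if kind == "" {
		return nil, fmt.Errorf("host %q is neither a Key Vault nor a Managed HSM endpoint", u.Host)
	}
	// Expected path shape: /keys/<name>[/<version>]
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	if len(segs) < 2 || len(segs) > 3 || segs[0] != "keys" || segs[1] == "" {
		return nil, fmt.Errorf("%q: expected path keys/<name>[/<version>]", raw)
	}
	key := &CMKKey{Kind: kind, BaseURI: "https://" + host, Name: segs[1]}
	if len(segs) == 3 {
		if segs[2] == "" {
			return nil, fmt.Errorf("%q: empty version segment", raw)
		}
		key.Version = segs[2]
	}
	if requireVersion && key.Version == "" {
		return nil, fmt.Errorf("%q: a versioned key id is required here", raw)
	}
	return key, nil
}

// ID renders the key back to its canonical URL, versionless when Version is empty.
func (k *CMKKey) ID() string {
	id := fmt.Sprintf("%s/keys/%s", k.BaseURI, k.Name)
	if k.Version != "" {
		id += "/" + k.Version
	}
	return id
}

func main() {
	// Constructed sample ids; none of these point at a real vault or HSM.
	for _, raw := range []string{
		"https://example-hsm.managedhsm.azure.net/keys/cosmos-cmk/0123456789abcdef",
		"https://example-vault.vault.azure.net/keys/cosmos-cmk",
		"https://example.blob.core.windows.net/keys/cosmos-cmk",
	} {
		k, err := ParseCMKKeyID(raw, false)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%-10s name=%s version=%q -> %s\n", k.Kind, k.Name, k.Version, k.ID())
	}
}
```

Matching on the host suffix rather than on a substring keeps a vault named, say, `vault.azure.net.attacker.example` from being classified as a Key Vault, and lower-casing the host before the comparison means the canonical `ID()` is stable whatever capitalisation the user wrote in their configuration.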

Member

@mbfrahry mbfrahry left a comment

LGTM! Thanks for getting all those changes in @wuxu92

@mbfrahry mbfrahry changed the title azurerm_cosmosdb_account: support CMK from Managed HSM with managed_hsm_key_id property azurerm_cosmosdb_account: support for CMK through managed_hsm_key_id property Oct 31, 2024
@mbfrahry mbfrahry added this to the v4.8.0 milestone Oct 31, 2024
@mbfrahry mbfrahry merged commit 0b8ca05 into hashicorp:main Oct 31, 2024
37 checks passed
mbfrahry added a commit that referenced this pull request Oct 31, 2024
@wuxu92 wuxu92 deleted the cmk/helpers branch October 31, 2024 01:17

github-actions bot commented Dec 2, 2024

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 2, 2024
Successfully merging this pull request may close these issues.

azurerm_cosmosdb_account - Support for Key Vault Keys from a Managed HSM
7 participants